Diffstat (limited to 'src/common.c')
| -rw-r--r-- | src/common.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/common.c b/src/common.c
index 3e54ca9..2c0cb87 100644
--- a/src/common.c
+++ b/src/common.c
@@ -341,7 +341,7 @@ printEndpoint (const UA_EndpointDescription *endpoint, size_t index)
 UA_Server *
 createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
 const char *keyPath, char **trustPaths, size_t trustSize,
- UA_StatusCode *retval)
+ UA_Boolean discoveryOnly, UA_StatusCode *retval)
 {
 UA_Server *server = UA_Server_new ();
 UA_ServerConfig *config = UA_Server_getConfig (server);
@@ -360,18 +360,23 @@ createServer (UA_UInt16 port, const char *applicationUri, const char *certPath,
 config, port, &certificate, &privateKey, trustList, trustSize, NULL, 0, NULL, 0);
- /* Also offer SecurityPolicy#None, but restricted to discovery
- services (FindServers, GetEndpoints) so that unencrypted clients
- can still discover the server without being able to open a
- full session. We must add both the security *policy* (so the
- server accepts None SecureChannels) and the *endpoint* (so the
- None endpoint appears in GetEndpoints responses — required by
- the open62541 client's internal endpoint negotiation). */
+ /* Always add SecurityPolicy#None so that clients can open an
+ initial unencrypted SecureChannel for the GetEndpoints
+ handshake, then reconnect with the selected secure policy.
+ Restrict None channels to discovery services only so that
+ nobody can open a full session without encryption.
+
+ When discoveryOnly is true (LDS) we also register a None
+ *endpoint* so that purely unencrypted clients can discover
+ the server — the open62541 client's internal endpoint
+ negotiation requires a matching endpoint in the
+ GetEndpoints response. */
 if (*retval == UA_STATUSCODE_GOOD) { UA_ServerConfig_addSecurityPolicyNone (config, &certificate);
- UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
- UA_MESSAGESECURITYMODE_NONE);
+ if (discoveryOnly)
+ UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI,
+ UA_MESSAGESECURITYMODE_NONE);
 config->securityPolicyNoneDiscoveryOnly = true; } |
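Review bot: The status codes returned by `UA_ServerConfig_addSecurityPolicyNone` and `UA_ServerConfig_addEndpoint` are discarded inside the `*retval == UA_STATUSCODE_GOOD` block, so createServer can report success to its caller when the None policy or the LDS endpoint was never registered. Propagate them: `*retval = UA_ServerConfig_addSecurityPolicyNone (config, &certificate);` followed by `if (*retval == UA_STATUSCODE_GOOD && discoveryOnly) *retval = UA_ServerConfig_addEndpoint (config, UA_SECURITY_POLICY_NONE_URI, UA_MESSAGESECURITYMODE_NONE);`. Since every server now accepts None SecureChannels, `config->securityPolicyNoneDiscoveryOnly = true` is the only thing that keeps unencrypted sessions out, so a regression test that expects CreateSession over a None channel to be rejected would be worth adding. The new parameter name `discoveryOnly` (first hunk) is easy to confuse with that config flag, which is set unconditionally; a header comment saying it only controls whether the None endpoint is advertised would help. createServer's body starts and ends outside these hunks.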
